CERT Warns of SSH Vulnerabilities

The security alert
said implementations of the SSH transport layer protocol contained
vulnerabilities that affect SSH clients and servers and occur before user
authentication takes place.

Vulnerable vendors include F-Secure, Intersoft International, and Pragma
Systems. CERT noted that the popular OpenSSH and IBM implementations were not
exploitable via these attacks.

SSH is a program used to log into another computer over a network, to
execute commands in a remote machine and to move files from one machine to
another. It provides authentication and secure communications over
insecure channels and is widely-used as a replacement for rlogin, rsh, rcp,
and rdist.

CERT said security consultants Rapid7 ran a suite of test cases, dubbed
SSHredder, that examined the connection initialization, key exchange and
negotiation phase of the SSH transport layer protocol and found the multiple
bugs in different vendors' SSH products. "These vulnerabilities include
buffer overflows, and they occur before any user authentication takes
place," the Center warned.

In severe cases, CERT warned that remote attackers could execute
arbitrary code with the privileges of the SSH process. "Both SSH servers and
clients are affected, since both implement the SSH transport layer protocol.
On Microsoft Windows systems, SSH servers commonly run with SYSTEM
privileges, and on UNIX systems, SSH daemons typically run with root
privileges," it added.

In the case of SSH clients, any attacker-supplied code would run with the
privileges of the user who started the client program, with the possible
exception of SSH clients that may be configured with an effective user ID of
root (setuid root), according to the advisory. "Attackers could also crash a
vulnerable SSH process, causing a denial-of-service
(define:dos_attack>.

The Center urged users to apply the appropriate vendor patches or
restrict access to SSH servers to trusted hosts and networks using
firewalls or other packet-filtering systems.

"While these workarounds
will not prevent exploitation of these vulnerabilities, they will make
attacks somewhat more difficult, in part by limiting the number of potential
sources of attacks," CERT said.